{ "threat_severity" : "Moderate", "public_date" : "2017-05-11T00:00:00Z", "bugzilla" : { "description" : "postgresql: Selectivity estimators bypass SELECT privilege checks", "id" : "1448078", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1448078" }, "cvss3" : { "cvss3_base_score" : "4.3", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-862", "details" : [ "It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.", "It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. A non-administrative database user could use this flaw to steal some information from tables they are otherwise not allowed to access." ], "acknowledgement" : "Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Robert Haas as the original reporter.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2017-08-01T00:00:00Z", "advisory" : "RHSA-2017:1983", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "postgresql-0:9.2.21-1.el7" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "rh-postgresql95-0:2.2-3.el6" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el6" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-backend-0:2.3.3-53.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-postgresql-server-0:9.5-1.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-setup-postgresql-0:2.3.0-27.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-utils-0:2.3.2-32.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-web-0:2.3.2-35.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite_managed_db:5.7::el6", "package" : "rh-postgresql95-0:2.2-3.el6" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite_managed_db:5.7::el6", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el6" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite_managed_db:5.7::el6", "package" : "spacewalk-backend-0:2.3.3-53.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite_managed_db:5.7::el6", "package" : "spacewalk-postgresql-server-0:9.5-1.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite_managed_db:5.7::el6", "package" : "spacewalk-setup-postgresql-0:2.3.0-27.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite_managed_db:5.7::el6", "package" : "spacewalk-utils-0:2.3.2-32.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite_managed_db:5.7::el6", "package" : "spacewalk-web-0:2.3.2-35.el6sat" }, { "product_name" : "Red Hat Satellite 5.8", "release_date" : "2017-07-31T00:00:00Z", "advisory" : "RHSA-2017:1838", "cpe" : "cpe:/a:redhat:network_satellite:5.8::el6", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el6" }, { "product_name" : "Red Hat Satellite 5.8", "release_date" : "2017-07-31T00:00:00Z", "advisory" : "RHSA-2017:1838", "cpe" : "cpe:/a:redhat:network_satellite_managed_db:5.8::el6", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el6" }, { "product_name" : "Red Hat Satellite 5.8 ELS", "release_date" : "2017-07-31T00:00:00Z", "advisory" : "RHSA-2017:1838", "cpe" : "cpe:/a:redhat:network_satellite:5.8::el6", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2017-07-05T00:00:00Z", "advisory" : "RHSA-2017:1677", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2017-07-05T00:00:00Z", "advisory" : "RHSA-2017:1678", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql94-postgresql-0:9.4.12-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2017-07-05T00:00:00Z", "advisory" : "RHSA-2017:1677", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2017-07-05T00:00:00Z", "advisory" : "RHSA-2017:1678", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql94-postgresql-0:9.4.12-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2017-07-05T00:00:00Z", "advisory" : "RHSA-2017:1677", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2017-07-05T00:00:00Z", "advisory" : "RHSA-2017:1678", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql94-postgresql-0:9.4.12-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2017-07-05T00:00:00Z", "advisory" : "RHSA-2017:1677", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2017-07-05T00:00:00Z", "advisory" : "RHSA-2017:1678", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql94-postgresql-0:9.4.12-1.el7" } ], "package_state" : [ { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Affected", "package_name" : "rh-postgresql94-postgresql", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5" }, { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Affected", "package_name" : "rh-postgresql95-postgresql", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "postgresql", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "postgresql84", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Will not fix", "package_name" : "postgresql", "cpe" : "cpe:/o:redhat:enterprise_linux:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-7484\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7484\nhttps://www.postgresql.org/about/news/1746/" ], "name" : "CVE-2017-7484", "csaw" : false }